Tool
EDR / XDR
Palo Alto Cortex XDR
763 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 763
high
Strong
Medium FP
Suspicious Child Process Created as System
Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
view Sigma YAML
title: Suspicious Child Process Created as System
id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d
status: test
description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
- https://github.com/antonioCoco/RogueWinRM
- https://twitter.com/Cyb3rWard0g/status/1453123054243024897
author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
date: 2019-10-26
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.002
logsource:
category: process_creation
product: windows
definition: 'Requirements: ParentUser field needs sysmon >= 13.30'
detection:
selection:
ParentUser|contains:
- 'AUTHORI'
- 'AUTORI'
ParentUser|endswith:
- '\NETWORK SERVICE'
- '\LOCAL SERVICE'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
User|endswith: # System
- '\SYSTEM'
- '\Système'
- '\СИСТЕМА'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
filter_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|contains: 'DavSetCookie'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Child Process Of BgInfo.EXE
Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
view Sigma YAML
title: Suspicious Child Process Of BgInfo.EXE
id: 811f459f-9231-45d4-959a-0266c6311987
related:
- id: aaf46cdc-934e-4284-b329-34aa701e3771
type: similar
status: test
description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\bginfo.exe'
- '\bginfo64.exe'
selection_child:
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- Image|contains:
- '\AppData\Local\'
- '\AppData\Roaming\'
- ':\Users\Public\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\PerfLogs\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Child Process Of Manage Engine ServiceDesk
Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
view Sigma YAML
title: Suspicious Child Process Of Manage Engine ServiceDesk
id: cea2b7ea-792b-405f-95a1-b903ea06458f
status: test
description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
references:
- https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
- https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py
- https://blog.viettelcybersecurity.com/saml-show-stopper/
author: Florian Roth (Nextron Systems)
date: 2023-01-18
modified: 2023-08-29
tags:
- attack.command-and-control
- attack.t1102
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains|all:
- '\ManageEngine\ServiceDesk\'
- '\java.exe'
Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\calc.exe'
- '\certutil.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\mftrace.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\notepad.exe' # Often used in POCs
- '\powershell.exe'
- '\pwsh.exe'
- '\query.exe'
- '\reg.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\whoami.exe' # Often used in POCs
- '\wmic.exe'
- '\wscript.exe'
# - '\hh.exe'
# - '\regsvr32.exe'
# - '\rundll32.exe'
# - '\scriptrunner.exe'
filter_main_net:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: ' stop'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate sub processes started by Manage Engine ServiceDesk Pro
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Child Process Of SQL Server
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
view Sigma YAML
title: Suspicious Child Process Of SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
related:
- id: 344482e4-a477-436c-aa70-7536d18a48c7
type: obsolete
status: test
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
- Internal Research
author: FPT.EagleEye Team, wagga
date: 2020-12-11
modified: 2023-05-04
tags:
- attack.t1505.003
- attack.t1190
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sqlservr.exe'
Image|endswith:
# You can add other uncommon or suspicious processes
- '\bash.exe'
- '\bitsadmin.exe'
- '\cmd.exe'
- '\netstat.exe'
- '\nltest.exe'
- '\ping.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\tasklist.exe'
- '\wsl.exe'
filter_optional_datev:
ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
Image: 'C:\Windows\System32\cmd.exe'
CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
condition: selection and not 1 of filter_optional_*
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Child Process Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
view Sigma YAML
title: Suspicious Child Process Of Wermgr.EXE
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
related:
- id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
references:
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
- https://www.echotrail.io/insights/search/wermgr.exe
- https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2024-08-29
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wermgr.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\ipconfig.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\netstat.exe'
- '\nslookup.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\systeminfo.exe'
- '\whoami.exe'
- '\wscript.exe'
filter_main_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|contains|all:
- 'C:\Windows\system32\WerConCpl.dll'
- 'LaunchErcApp '
CommandLine|contains:
- '-queuereporting'
- '-responsepester'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Child Process of AspNetCompiler
Detects potentially suspicious child processes of "aspnet_compiler.exe".
view Sigma YAML
title: Suspicious Child Process of AspNetCompiler
id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
related:
- id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
type: similar
- id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
type: similar
- id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
type: similar
status: test
description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\aspnet_compiler.exe'
selection_child:
# Note: add other potential suspicious child processes and paths
- Image|endswith:
- '\calc.exe'
- '\notepad.exe'
- Image|contains:
- '\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Local\Roaming\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Child Process of Notepad++ Updater - GUP.Exe
Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
This could indicate potential exploitation of the updater component to deliver unwanted malware.
view Sigma YAML
title: Suspicious Child Process of Notepad++ Updater - GUP.Exe
id: bb0e87ce-c89f-4857-84fa-095e4483e9cb
status: experimental
description: |
Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
This could indicate potential exploitation of the updater component to deliver unwanted malware.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\gup.exe'
selection_child_img:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\mshta.exe'
selection_child_cli:
CommandLine|contains:
- 'bitsadmin'
- 'certutil'
- 'curl'
- 'finger'
- 'forfiles'
- 'regsvr32'
- 'rundll32'
- 'wget'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Child Process of SolarWinds WebHelpDesk
Detects suspicious child processes spawned by SolarWinds WebHelpDesk (WHD) application, which may indicate exploitation activity leveraging RCE vulnerabilities such as CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399
view Sigma YAML
title: Suspicious Child Process of SolarWinds WebHelpDesk
id: 8c7f4a2d-3b9e-4f1c-9a6d-2e8f5c3d9a1b
status: experimental
description: |
Detects suspicious child processes spawned by SolarWinds WebHelpDesk (WHD) application, which may indicate exploitation activity leveraging RCE vulnerabilities such as CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399
references:
- https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
- https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
- https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
author: Huntress Team, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-11
tags:
- attack.initial-access
- attack.t1190
- cve.2025-26399
- cve.2025-40536
- cve.2025-40551
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: '\WebHelpDesk\bin\'
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentCommandLine|contains: 'tomcat'
selection_suspicious_child:
CommandLine|contains:
- '-enc'
- 'base64'
- 'bitsadmin'
- 'certutil'
- 'curl'
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- 'irm '
- 'iwr '
- 'mshta'
- 'msiexec'
- 'Net.WebClient'
- 'Start-BitsTransfer'
- 'wget'
- 'wmic'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious Chromium Browser Instance Executed With Custom Extension
Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
view Sigma YAML
title: Suspicious Chromium Browser Instance Executed With Custom Extension
id: 27ba3207-dd30-4812-abbf-5d20c57d474e
related:
- id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
type: similar
status: test
description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
references:
- https://redcanary.com/blog/chromeloader/
- https://emkc.org/s/RJjuLa
- https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022-06-19
modified: 2023-11-28
tags:
- attack.persistence
- attack.t1176.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
CommandLine|contains: '--load-extension='
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Suspicious ClickFix/FileFix Execution Pattern
Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).
Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
view Sigma YAML
title: Suspicious ClickFix/FileFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
related:
- id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
type: similar
status: experimental
description: |
Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).
Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
references:
- https://github.com/JohnHammond/recaptcha-phish
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
- https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/ # filefix variant
author: montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
- attack.execution
- attack.t1204.001
- attack.t1204.004
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: '#'
selection_cli_captcha:
CommandLine|contains:
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Command Patterns In Scheduled Task Creation
Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
view Sigma YAML
title: Suspicious Command Patterns In Scheduled Task Creation
id: f2c64357-b1d2-41b7-849f-34d2682c0fad
status: test
description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
references:
- https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
- https://twitter.com/RedDrip7/status/1506480588827467785
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2024-03-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_schtasks:
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/Create '
selection_pattern_1:
CommandLine|contains:
- '/sc minute '
- '/ru system '
selection_pattern_2:
CommandLine|contains:
- 'cmd /c'
- 'cmd /k'
- 'cmd /r'
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
selection_uncommon:
CommandLine|contains:
- ' -decode '
- ' -enc '
- ' -w hidden '
- ' bypass '
- ' IEX'
- '.DownloadData'
- '.DownloadFile'
- '.DownloadString'
- '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785
- 'FromBase64String'
- 'mshta http'
- 'mshta.exe http'
selection_anomaly_1:
CommandLine|contains:
- ':\ProgramData\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\'
- '%AppData%'
- '%Temp%'
- '%tmp%'
selection_anomaly_2:
CommandLine|contains:
- 'cscript'
- 'curl'
- 'wscript'
condition: selection_schtasks and ( all of selection_pattern_* or selection_uncommon or all of selection_anomaly_* )
falsepositives:
- Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Creation with Colorcpl
Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
view Sigma YAML
title: Suspicious Creation with Colorcpl
id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
status: test
description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
references:
- https://twitter.com/eral4m/status/1480468728324231172?s=20
author: frack113
date: 2022-01-21
modified: 2023-01-05
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\colorcpl.exe'
filter_ext:
TargetFilename|endswith:
- '.icm'
- '.gmmp'
- '.cdmp'
- '.camp'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Curl.EXE Download
Detects a suspicious curl process start on Windows and outputs the requested document to a local file
view Sigma YAML
title: Suspicious Curl.EXE Download
id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
related:
- id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
type: derived
- id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download
type: similar
status: test
description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
references:
- https://twitter.com/max_mal_/status/1542461200797163522
- https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
- https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
- https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-07-03
modified: 2023-02-21
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_curl:
- Image|endswith: '\curl.exe'
- Product: 'The curl executable'
selection_susp_locations:
CommandLine|contains:
- '%AppData%'
- '%Public%'
- '%Temp%'
- '%tmp%'
- '\AppData\'
- '\Desktop\'
- '\Temp\'
- '\Users\Public\'
- 'C:\PerfLogs\'
- 'C:\ProgramData\'
- 'C:\Windows\Temp\'
selection_susp_extensions:
CommandLine|endswith:
- '.dll'
- '.gif'
- '.jpeg'
- '.jpg'
- '.png'
- '.temp'
- '.tmp'
- '.txt'
- '.vbe'
- '.vbs'
filter_optional_git_windows:
# Example FP
# CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt
ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe'
Image: 'C:\Program Files\Git\mingw64\bin\curl.exe'
CommandLine|contains|all:
- '--silent --show-error --output '
- 'gfw-httpget-'
- 'AppData'
condition: selection_curl and 1 of selection_susp_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_susp_download/info.yml
simulation:
- type: atomic-red-team
name: Curl Download File
technique: T1105
atomic_guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a
Convert to SIEM query
high
Strong
Medium FP
Suspicious CustomShellHost Execution
Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
view Sigma YAML
title: Suspicious CustomShellHost Execution
id: 84b14121-9d14-416e-800b-f3b829c5a14d
status: test
description: |
Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/180
- https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2025-10-29
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\CustomShellHost.exe'
filter_main_explorer:
Image: 'C:\Windows\explorer.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives are unlikely, investigate matches carefully.
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Debugger Registration Cmdline
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
view Sigma YAML
title: Suspicious Debugger Registration Cmdline
id: ae215552-081e-44c7-805f-be16f975c8a2
status: test
description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-09-06
modified: 2022-08-06
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.008
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: '\CurrentVersion\Image File Execution Options\'
selection2:
CommandLine|contains:
- 'sethc.exe'
- 'utilman.exe'
- 'osk.exe'
- 'magnify.exe'
- 'narrator.exe'
- 'displayswitch.exe'
- 'atbroker.exe'
- 'HelpPane.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
view Sigma YAML
title: Suspicious Desktopimgdownldr Command
id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
status: test
description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
references:
- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- https://twitter.com/SBousseaden/status/1278977301745741825
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: ' /lockscreenurl:'
selection1_filter:
CommandLine|contains:
- '.jpg'
- '.jpeg'
- '.png'
selection_reg:
CommandLine|contains|all:
- 'reg delete'
- '\PersonalizationCSP'
condition: ( selection1 and not selection1_filter ) or selection_reg
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Desktopimgdownldr Target File
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
view Sigma YAML
title: Suspicious Desktopimgdownldr Target File
id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
status: test
description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
references:
- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- https://twitter.com/SBousseaden/status/1278977301745741825
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2022-06-02
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\svchost.exe'
TargetFilename|contains: '\Personalization\LockScreenImage\'
filter1:
TargetFilename|contains: 'C:\Windows\'
filter2:
TargetFilename|contains:
- '.jpg'
- '.jpeg'
- '.png'
condition: selection and not filter1 and not filter2
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious DotNET CLR Usage Log Artifact
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
view Sigma YAML
title: Suspicious DotNET CLR Usage Log Artifact
id: e0b06658-7d1d-4cd3-bf15-03467507ff7c
related:
- id: 4508a70e-97ef-4300-b62b-ff27992990ea
type: derived
- id: e4b63079-6198-405c-abd7-3fe8b0ce3263
type: obsolete
status: test
description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
references:
- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
- https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml
- https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
author: frack113, omkar72, oscd.community, Wojciech Lesicki
date: 2022-11-18
modified: 2023-02-23
tags:
- attack.stealth
- attack.t1218
logsource:
category: file_event
product: windows
definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration'
detection:
selection:
TargetFilename|endswith:
- '\UsageLogs\cmstp.exe.log'
- '\UsageLogs\cscript.exe.log'
- '\UsageLogs\mshta.exe.log'
- '\UsageLogs\msxsl.exe.log'
- '\UsageLogs\regsvr32.exe.log'
- '\UsageLogs\rundll32.exe.log'
- '\UsageLogs\svchost.exe.log'
- '\UsageLogs\wscript.exe.log'
- '\UsageLogs\wmic.exe.log'
filter_main_rundll32:
# This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity
ParentImage|endswith: '\MsiExec.exe'
ParentCommandLine|contains: ' -Embedding'
Image|endswith: '\rundll32.exe'
CommandLine|contains|all:
- 'Temp'
- 'zzzzInvokeManagedCustomActionOutOfProc'
condition: selection and not 1 of filter_main_*
falsepositives:
- Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Double Extension File Execution
Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
view Sigma YAML
title: Suspicious Double Extension File Execution
id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
related:
- id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine
type: similar
status: stable
description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
references:
- https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
- https://twitter.com/blackorbird/status/1140519090961825792
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
date: 2019-06-26
modified: 2025-05-30
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- ' .exe'
- '______.exe'
- '.doc.exe'
- '.doc.js'
- '.docx.exe'
- '.docx.js'
- '.gif.exe'
- '.jpeg.exe'
- '.jpg.exe'
- '.mkv.exe'
- '.mov.exe'
- '.mp3.exe'
- '.mp4.exe'
- '.pdf.exe'
- '.pdf.js'
- '.png.exe'
- '.ppt.exe'
- '.ppt.js'
- '.pptx.exe'
- '.pptx.js'
- '.rtf.exe'
- '.rtf.js'
- '.svg.exe'
- '.txt.exe'
- '.txt.js'
- '.xls.exe'
- '.xls.js'
- '.xlsx.exe'
- '.xlsx.js'
- '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
CommandLine|contains:
- ' .exe'
- '______.exe'
- '.doc.exe'
- '.doc.js'
- '.docx.exe'
- '.docx.js'
- '.gif.exe'
- '.jpeg.exe'
- '.jpg.exe'
- '.mkv.exe'
- '.mov.exe'
- '.mp3.exe'
- '.mp4.exe'
- '.pdf.exe'
- '.pdf.js'
- '.png.exe'
- '.ppt.exe'
- '.ppt.js'
- '.pptx.exe'
- '.pptx.js'
- '.rtf.exe'
- '.rtf.js'
- '.svg.exe'
- '.txt.exe'
- '.txt.js'
- '.xls.exe'
- '.xls.js'
- '.xlsx.exe'
- '.xlsx.js'
- '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Double Extension Files
Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
view Sigma YAML
title: Suspicious Double Extension Files
id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
related:
- id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
type: derived
- id: 3215aa19-f060-4332-86d5-5602511f3ca8
type: similar
status: test
description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
references:
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
- https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
- https://twitter.com/malwrhunterteam/status/1235135745611960321
- https://twitter.com/luc4m/status/1073181154126254080
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-06-19
modified: 2026-03-31
tags:
- attack.stealth
- attack.t1036.007
logsource:
category: file_event
product: windows
detection:
selection_gen:
TargetFilename|endswith:
- '.exe'
- '.iso'
- '.rar'
- '.svg'
- '.zip'
# - '.lnk' # legitimate links can happen just anywhere
TargetFilename|contains:
- '.doc.'
- '.docx.'
- '.gif.'
- '.jpeg.'
- '.jpg.'
- '.mp3.'
- '.mp4.'
- '.pdf.'
- '.png.'
- '.ppt.'
- '.pptx.'
- '.rtf.'
- '.svg.'
- '.txt.'
- '.xls.'
- '.xlsx.'
selection_exe:
TargetFilename|endswith:
- '.rar.exe'
- '.zip.exe'
# Note: If you wanna keep using the ".lnk" extension. You might uncomment this filter and add additional locations
# filter_main_lnk:
# TargetFilename|contains:
# - '\AppData\Roaming\Microsoft\Office\Recent\'
# - '\AppData\Roaming\Microsoft\Windows\Recent\'
filter_icons_linux:
TargetFilename|startswith: '/usr/share/icons/'
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Download and Execute Pattern via Curl/Wget
Detects suspicious use of command-line tools such as curl or wget to download remote
content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
immediate execution, indicating potential malicious activity. This pattern is commonly used
by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
view Sigma YAML
title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
Detects suspicious use of command-line tools such as curl or wget to download remote
content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
immediate execution, indicating potential malicious activity. This pattern is commonly used
by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
- https://gtfobins.github.io/gtfobins/wget/
- https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
- attack.execution
- attack.t1059.004
- attack.t1203
logsource:
category: process_creation
product: linux
detection:
selection_downloader:
CommandLine|contains:
- '/curl'
- '/wget'
selection_tmp:
CommandLine|contains:
- '/tmp/'
- '/dev/shm/'
selection_executor:
CommandLine|contains: 'sh -c'
condition: all of selection_*
falsepositives:
- System update scripts using temporary files
- Installer scripts or automated provisioning tools
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious Download from Office Domain
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
view Sigma YAML
title: Suspicious Download from Office Domain
id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1
status: test
description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
references:
- https://twitter.com/an0n_r0/status/1474698356635193346?s=12
- https://twitter.com/mrd0x/status/1475085452784844803?s=12
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2022-08-02
tags:
- attack.command-and-control
- attack.resource-development
- attack.t1105
- attack.t1608
logsource:
product: windows
category: process_creation
detection:
selection_download:
- Image|endswith:
- '\curl.exe'
- '\wget.exe'
- CommandLine|contains:
- 'Invoke-WebRequest'
- 'iwr '
- 'curl '
- 'wget '
- 'Start-BitsTransfer'
- '.DownloadFile('
- '.DownloadString('
selection_domains:
CommandLine|contains:
- 'https://attachment.outlook.live.net/owa/'
- 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
condition: all of selection_*
falsepositives:
- Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
view Sigma YAML
title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
related:
- id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
type: similar
status: test
description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
references:
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
- https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0
author: pH-T (Nextron Systems)
date: 2022-03-01
modified: 2023-04-06
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# ::("L"+"oad")
- 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'
- 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'
- '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'
# ::("Lo"+"ad")
- 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'
- 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'
- '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'
# ::("Loa"+"d")
- 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'
- 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'
- '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'
# ::('L'+'oad')
- 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'
- 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'
- '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'
# ::('Lo'+'ad')
- 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'
- 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'
- '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'
# ::('Loa'+'d')
- 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'
- 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'
- '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Environment Variable Has Been Registered
Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
view Sigma YAML
title: Suspicious Environment Variable Has Been Registered
id: 966315ef-c5e1-4767-ba25-fce9c8de3660
status: test
description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
references:
- https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2023-08-17
tags:
- attack.persistence
- attack.stealth
logsource:
product: windows
category: registry_set
detection:
selection_main:
TargetObject|contains: '\Environment\'
selection_details:
- Details:
- 'powershell'
- 'pwsh'
- Details|contains:
# Add more suspicious strings in env variables below
- '\AppData\Local\Temp\'
- 'C:\Users\Public\'
# Base64 MZ Header
- 'TVqQAAMAAAAEAAAA' # MZ..........
- 'TVpQAAIAAAAEAA8A'
- 'TVqAAAEAAAAEABAA'
- 'TVoAAAAAAAAAAAAA'
- 'TVpTAQEAAAAEAAAA'
# Base64 Invoke- (UTF-8)
- 'SW52b2tlL'
- 'ludm9rZS'
- 'JbnZva2Ut'
# Base64 Invoke- (UTF-16LE)
- 'SQBuAHYAbwBrAGUALQ'
- 'kAbgB2AG8AawBlAC0A'
- 'JAG4AdgBvAGsAZQAtA'
- Details|startswith: # https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
- 'SUVY'
- 'SQBFAF'
- 'SQBuAH'
- 'cwBhA'
- 'aWV4'
- 'aQBlA'
- 'R2V0'
- 'dmFy'
- 'dgBhA'
- 'dXNpbm'
- 'H4sIA'
- 'Y21k'
- 'cABhAH'
- 'Qzpc'
- 'Yzpc'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Executable File Creation
Detect creation of suspicious executable file names.
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
view Sigma YAML
title: Suspicious Executable File Creation
id: 74babdd6-a758-4549-9632-26535279e654
status: test
description: |
Detect creation of suspicious executable file names.
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
references:
- https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
- https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
author: frack113
date: 2022-09-05
modified: 2023-12-11
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- ':\$Recycle.Bin.exe'
- ':\Documents and Settings.exe'
- ':\MSOCache.exe'
- ':\PerfLogs.exe'
- ':\Recovery.exe'
- '.bat.exe'
- '.sys.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Execution From Outlook Temporary Folder
Detects a suspicious program execution in Outlook temp folder
view Sigma YAML
title: Suspicious Execution From Outlook Temporary Folder
id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
status: test
description: Detects a suspicious program execution in Outlook temp folder
author: Florian Roth (Nextron Systems)
references:
- Internal Research
date: 2019-10-01
modified: 2022-10-09
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: '\Temporary Internet Files\Content.Outlook\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Execution Location Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
view Sigma YAML
title: Suspicious Execution Location Of Wermgr.EXE
id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
related:
- id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
references:
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
- https://www.echotrail.io/insights/search/wermgr.exe
- https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2023-08-23
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\wermgr.exe'
filter_main_legit_location:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Execution Of Renamed Sysinternals Tools - Registry
Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
view Sigma YAML
title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
- id: 8023f872-3f1d-4301-a384-801889917ab4
type: similar
status: test
description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
- attack.resource-development
- attack.t1588.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
# Please add new values while respecting the alphabetical order
- '\Active Directory Explorer'
- '\Handle'
- '\LiveKd'
- '\ProcDump'
- '\Process Explorer'
- '\PsExec'
- '\PsLoggedon'
- '\PsLoglist'
- '\PsPasswd'
- '\PsPing'
- '\PsService'
- '\SDelete'
TargetObject|endswith: '\EulaAccepted'
filter:
Image|endswith:
# Please add new values while respecting the alphabetical order
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\handle.exe'
- '\handle64.exe'
- '\livekd.exe'
- '\livekd64.exe'
- '\procdump.exe'
- '\procdump64.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\PsExec.exe'
- '\PsExec64.exe'
- '\PsLoggedon.exe'
- '\PsLoggedon64.exe'
- '\psloglist.exe'
- '\psloglist64.exe'
- '\pspasswd.exe'
- '\pspasswd64.exe'
- '\PsPing.exe'
- '\PsPing64.exe'
- '\PsService.exe'
- '\PsService64.exe'
- '\sdelete.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
view Sigma YAML
title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
related:
- id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
type: similar
- id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
type: similar
status: experimental
description: |
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
references:
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
- https://mrd0x.com/filefix-clickfix-alternative/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
modified: 2025-11-26
tags:
- attack.execution
- attack.stealth
- attack.t1204.004
- attack.t1027.010
logsource:
category: process_creation
product: windows
detection:
selection_explorer:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: '#'
selection_space_variation:
CommandLine|contains:
- ' ' # En Quad (U+2000)
- ' ' # Em Quad (U+2001)
- ' ' # En Space (U+2002)
- ' ' # Em Space (U+2003)
- ' ' # Three-Per-Em Space (U+2004)
- ' ' # Four-Per-Em Space (U+2005)
- ' ' # Six-Per-Em Space (U+2006)
- ' ' # Figure Space (U+2007)
- ' ' # Punctuation Space (U+2008)
- ' ' # Thin Space (U+2009)
- ' ' # Hair Space (U+200A)
- ' ' # No-Break Space (U+00A0)
- ' ' # Normal space (0x20)
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious File Created Via OneNote Application
Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
view Sigma YAML
title: Suspicious File Created Via OneNote Application
id: fcc6d700-68d9-4241-9a1a-06874d621b06
status: test
description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
references:
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
- https://twitter.com/MaD_c4t/status/1623414582382567424
- https://labs.withsecure.com/publications/detecting-onenote-abuse
- https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/
- https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-09
modified: 2023-02-27
tags:
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\onenote.exe'
- '\onenotem.exe'
- '\onenoteim.exe'
TargetFilename|contains: '\AppData\Local\Temp\OneNote\'
TargetFilename|endswith:
# TODO: Add more suspicious extensions
- '.bat'
- '.chm'
- '.cmd'
- '.dll'
- '.exe'
- '.hta'
- '.htm'
- '.html'
- '.js'
- '.lnk'
- '.ps1'
- '.vbe'
- '.vbs'
- '.wsf'
condition: selection
falsepositives:
- False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.
- Occasional FPs might occur if OneNote is used internally to share different embedded documents
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
server, creates a file with suspicious file type, indicating that it may be an executable, script file,
or otherwise unusual.
view Sigma YAML
title: Suspicious File Created by ArcSOC.exe
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
server, creates a file with suspicious file type, indicating that it may be an executable, script file,
or otherwise unusual.
references:
- https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
- https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
- attack.command-and-control
- attack.persistence
- attack.initial-access
- attack.execution
- attack.stealth
- attack.t1127
- attack.t1105
- attack.t1133
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\ArcSOC.exe'
TargetFilename|endswith:
- '.ahk'
- '.aspx'
- '.au3'
- '.bat'
- '.cmd'
- '.dll'
- '.exe'
- '.hta'
- '.js'
- '.ps1'
- '.py'
- '.vbe'
- '.vbs'
- '.wsf'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
view Sigma YAML
title: Suspicious File Created in Outlook Temporary Directory
id: fabb0e80-030c-4e3e-a104-d09676991ac3
related:
- id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
type: obsolete
status: experimental
description: |
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
references:
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-22
tags:
- attack.initial-access
- attack.t1566.001
logsource:
product: windows
category: file_event
detection:
selection_extension:
TargetFilename|endswith:
- '.cpl'
- '.hta'
- '.iso'
- '.rdp'
- '.svg'
- '.vba'
- '.vbe'
- '.vbs'
selection_location:
- TargetFilename|contains:
- '\AppData\Local\Packages\Microsoft.Outlook_'
- '\AppData\Local\Microsoft\Olk\Attachments\'
- TargetFilename|contains|all:
- '\AppData\Local\Microsoft\Windows\'
- '\Content.Outlook\'
condition: all of selection_*
falsepositives:
- Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious File Creation Activity From Fake Recycle.Bin Folder
Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
view Sigma YAML
title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
related:
- id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
type: derived
status: test
description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
references:
- https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
author: X__Junior (Nextron Systems)
date: 2023-07-12
modified: 2023-12-11
tags:
- attack.persistence
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
- Image|contains:
# e.g. C:\$RECYCLER.BIN
- 'RECYCLERS.BIN\'
- 'RECYCLER.BIN\'
- TargetFilename|contains:
# e.g. C:\$RECYCLER.BIN
- 'RECYCLERS.BIN\'
- 'RECYCLER.BIN\'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Suspicious File Creation In Uncommon AppData Folder
Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
view Sigma YAML
title: Suspicious File Creation In Uncommon AppData Folder
id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
status: test
description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-23
tags:
- attack.execution
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\'
TargetFilename|endswith:
# Add more as needed
- '.bat'
- '.cmd'
- '.cpl'
- '.dll'
- '.exe'
- '.hta'
- '.iso'
- '.lnk'
- '.msi'
- '.ps1'
- '.psm1'
- '.scr'
- '.vbe'
- '.vbs'
filter_main:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains:
- '\AppData\Local\'
- '\AppData\LocalLow\'
- '\AppData\Roaming\'
condition: selection and not filter_main
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious File Write to SharePoint Layouts Directory
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
view Sigma YAML
title: Suspicious File Write to SharePoint Layouts Directory
id: 1f0489be-b496-4ddf-b3a9-5900f2044e9c
status: experimental
description: |
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
references:
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-24
tags:
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\w3wp.exe'
TargetFilename|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
- 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
TargetFilename|contains:
- '\15\TEMPLATE\LAYOUTS\'
- '\16\TEMPLATE\LAYOUTS\'
TargetFilename|endswith:
- '.asax'
- '.ascx'
- '.ashx'
- '.asmx'
- '.asp'
- '.aspx'
- '.bat'
- '.cmd'
- '.cer'
- '.config'
- '.hta'
- '.js'
- '.jsp'
- '.jspx'
- '.php'
- '.ps1'
- '.vbs'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious FileFix Execution Pattern
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.
This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,
which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.
The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
view Sigma YAML
title: Suspicious FileFix Execution Pattern
id: b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
related:
- id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
type: similar
- id: 4be03877-d5b6-4520-85c9-a5911c0a656c
type: obsolete
status: experimental
description: |
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.
This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,
which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.
The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
references:
- https://mrd0x.com/filefix-clickfix-alternative/
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/ # phishing lure directly asking users to open file explorer and paste command
- https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/
author: 0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-24
tags:
- attack.execution
- attack.t1204.004
logsource:
category: process_creation
product: windows
detection:
selection_exec_parent:
# This is case where phishing pages trick users to paste commands in browser file upload dialog
ParentImage|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
CommandLine|contains: '#'
selection_cli_lolbin:
CommandLine|contains:
- '%comspec%'
- 'bitsadmin'
- 'certutil'
- 'cmd'
- 'cscript'
- 'curl'
- 'finger'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'schtasks'
- 'wget'
- 'wscript'
selection_cli_captcha:
CommandLine|contains:
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
condition: selection_exec_parent and 1 of selection_cli_*
falsepositives:
- Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Filename with Embedded Base64 Commands
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
view Sigma YAML
title: Suspicious Filename with Embedded Base64 Commands
id: 179b3686-6271-4d87-807d-17d843a8af73
status: experimental
description: |
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
references:
- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1027
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|contains:
- '{echo'
- '{base64,-d}'
condition: selection
falsepositives:
- Legitimate files with similar naming patterns (very unlikely).
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious GUP Usage
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
view Sigma YAML
title: Suspicious GUP Usage
id: 0a4f6091-223b-41f6-8743-f322ec84930b
status: test
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
references:
- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
author: Florian Roth (Nextron Systems)
date: 2019-02-06
modified: 2022-08-13
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\GUP.exe'
filter_programfiles:
Image|endswith:
- '\Program Files\Notepad++\updater\GUP.exe'
- '\Program Files (x86)\Notepad++\updater\GUP.exe'
filter_user:
Image|contains: '\Users\'
Image|endswith:
- '\AppData\Local\Notepad++\updater\GUP.exe'
- '\AppData\Roaming\Notepad++\updater\GUP.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Execution of tools named GUP.exe and located in folders different than Notepad++\updater
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Get-Variable.exe Creation
Get-Variable is a valid PowerShell cmdlet
WindowsApps is by default in the path where PowerShell is executed.
So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
view Sigma YAML
title: Suspicious Get-Variable.exe Creation
id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
status: test
description: |
Get-Variable is a valid PowerShell cmdlet
WindowsApps is by default in the path where PowerShell is executed.
So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
references:
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
- https://www.joesandbox.com/analysis/465533/0/html
author: frack113
date: 2022-04-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.t1546
- attack.t1027
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious GrpConv Execution
Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
view Sigma YAML
title: Suspicious GrpConv Execution
id: f14e169e-9978-4c69-acb3-1cff8200bc36
status: test
description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
references:
- https://twitter.com/0gtweet/status/1526833181831200770
author: Florian Roth (Nextron Systems)
date: 2022-05-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'grpconv.exe -o'
- 'grpconv -o'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious HWP Sub Processes
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
view Sigma YAML
title: Suspicious HWP Sub Processes
id: 023394c4-29d5-46ab-92b8-6a534c6f447b
status: test
description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
references:
- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
- https://twitter.com/cyberwar_15/status/1187287262054076416
- https://blog.alyac.co.kr/1901
- https://en.wikipedia.org/wiki/Hangul_(word_processor)
author: Florian Roth (Nextron Systems)
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.initial-access
- attack.t1566.001
- attack.execution
- attack.t1203
- attack.t1059.003
- attack.g0032
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Hwp.exe'
Image|endswith: '\gbb.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious IIS Module Registration
Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
view Sigma YAML
title: Suspicious IIS Module Registration
id: 043c4b8b-3a54-4780-9682-081cb6b8185c
status: test
description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
references:
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems), Microsoft (idea)
date: 2022-08-04
modified: 2023-01-23
tags:
- attack.persistence
- attack.t1505.004
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\w3wp.exe'
selection_cli_1:
CommandLine|contains: 'appcmd.exe add module'
selection_cli_2:
CommandLine|contains: ' system.enterpriseservices.internal.publish'
Image|endswith: '\powershell.exe'
selection_cli_3:
CommandLine|contains|all:
- 'gacutil'
- ' /I'
condition: selection_parent and 1 of selection_cli_*
falsepositives:
- Administrative activity
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Interactive PowerShell as SYSTEM
Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
view Sigma YAML
title: Suspicious Interactive PowerShell as SYSTEM
id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
status: test
description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2022-08-13
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename:
- 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
- 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
condition: selection
falsepositives:
- Administrative activity
- PowerShell scripts running as SYSTEM user
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Invocation of Shell via AWK - Linux
Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
view Sigma YAML
title: Suspicious Invocation of Shell via AWK - Linux
id: 8c1a5675-cb85-452f-a298-b01b22a51856
status: test
description: |
Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
- https://gtfobins.github.io/gtfobins/awk/#shell
- https://gtfobins.github.io/gtfobins/gawk/#shell
- https://gtfobins.github.io/gtfobins/nawk/#shell
- https://gtfobins.github.io/gtfobins/mawk/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/awk'
- '/gawk'
- '/mawk'
- '/nawk'
CommandLine|contains: 'BEGIN {system'
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Invocation of Shell via Rsync
Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
view Sigma YAML
title: Suspicious Invocation of Shell via Rsync
id: 297241f3-8108-4b3a-8c15-2dda9f844594
status: experimental
description: |
Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
- https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
- https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
author: Florian Roth
date: 2025-01-18
tags:
- attack.execution
- attack.t1059
- attack.t1203
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith:
- '/rsync'
- '/rsyncd'
Image|endswith:
- '/ash'
- '/bash'
- '/csh'
- '/dash'
- '/ksh'
- '/sh'
- '/tcsh'
- '/zsh'
filter_main_expected:
CommandLine|contains: ' -e '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Java Children Processes
Detects java process spawning suspicious children
view Sigma YAML
title: Suspicious Java Children Processes
id: d292e0af-9a18-420c-9525-ec0ac3936892
status: test
description: Detects java process spawning suspicious children
references:
- https://www.tecmint.com/different-types-of-linux-shells/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-03
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: '/java'
CommandLine|contains:
- '/bin/sh'
- 'bash'
- 'dash'
- 'ksh'
- 'zsh'
- 'csh'
- 'fish'
- 'curl'
- 'wget'
- 'python'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Kernel Dump Using Dtrace
Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
view Sigma YAML
title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: test
description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
references:
- https://twitter.com/0gtweet/status/1474899714290208777?s=12
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
author: Florian Roth (Nextron Systems)
date: 2021-12-28
tags:
- attack.discovery
- attack.t1082
logsource:
product: windows
category: process_creation
detection:
selection_plain:
Image|endswith: '\dtrace.exe'
CommandLine|contains: 'lkd(0)'
selection_obfuscated:
CommandLine|contains|all:
- 'syscall:::return'
- 'lkd('
condition: 1 of selection*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml
Convert to SIEM query
high
Moderate
High FP
Suspicious LNK Command-Line Padding with Whitespace Characters
Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
This rule flags suspicious use of such padding observed in real-world attacks.
view Sigma YAML
title: Suspicious LNK Command-Line Padding with Whitespace Characters
id: dd8756e7-a3a0-4768-b47e-8f545d1a751c
status: experimental
description: |
Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
This rule flags suspicious use of such padding observed in real-world attacks.
references:
- https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415
- https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
- https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-19
tags:
- attack.initial-access
- attack.execution
- attack.t1204.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- ParentImage|endswith: '\explorer.exe'
- ParentCommandLine|contains: '.lnk'
selection_cmd:
- CommandLine|contains:
- ' ' # Padding of SPACE (0x20)
# - ' ' # Horizontal Tab (0x9)
- '\u0009'
- '\u000A' # Line Feed
- '\u0011'
- '\u0012'
- '\u0013'
- '\u000B' # Vertical Tab
- '\u000C' # \x0C
- '\u000D' # \x0D
- CommandLine|re: '\n\n\n\n\n\n' # In some cases \u000[ABCD] are represented as a newline in the eventlog
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
view Sigma YAML
title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
related:
- id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
type: similar
status: experimental
description: |
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
references:
- https://blog.axelarator.net/hunting-for-edr-freeze/
- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1003
- attack.t1685
logsource:
category: image_load
product: windows
detection:
selection_img:
Image|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\$Recycle.Bin\'
- '\Contacts\'
# - '\Desktop\'
- '\Documents\'
# - '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
# - '\AppData\Local\Temp\' some installers may load from here
selection_dll:
ImageLoaded|endswith:
- '\dbgcore.dll'
- '\dbghelp.dll'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Suspicious MSExchangeMailboxReplication ASPX Write
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
view Sigma YAML
title: Suspicious MSExchangeMailboxReplication ASPX Write
id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
status: test
description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
tags:
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\MSExchangeMailboxReplication.exe'
TargetFilename|endswith:
- '.aspx'
- '.asp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 551-600 of 763